DONATE
Escalation of cyberthreats in the Middle East

Escalation of Threats in the Middle East

Tanner Wagner
CyberPeace Institute

Further to the intensification of hostilities since 7th October 2023 and the horrific loss of civilian lives, the CyberPeace Institute has observed an escalation in cyberattacks in the context of the ongoing conflict in  Israel and the occupied territories. Cyber operations are being conducted by multiple threat actors, with cyberattacks being directed against both Israeli and Palestinian entities.

Cyberattacks

One of the most used types of cyberattacks linked to the current hostilities in this armed conflict are Distributed Denial of Service (DDoS) attacks. A DDoS attack is when the availability of an online resource such as a website is disrupted due to the malicious flooding of a targeted server with internet traffic. 

Cloudflare detected DDoS attacks against Israeli websites approximately twelve minutes following the armed attack by Hamas on 7th October which led to an appalling loss of civilian lives. Cloudflare reported that Israeli websites have been heavily targeted with DDoS attacks by pro-Palestine threat actors following the events of the 7th of October.1 The CyberPeace Institute has also identified pro-Israel threat actors conducting DDoS attacks against Palestinian websites. Nevertheless, the Institute’s analysis leads to the conclusion that Israeli entities are targeted by DDoS attacks significantly more than Palestinian entities. This could be linked to entities in Israel having more Internet resources than entities in the Occupied and Palestinian Territories, thus providing a greater attack surface for threat actors.

Other types of cyberattacks are also being carried out in the context of these hostilities.  Defacement operations, – where a threat actor alters a website’s appearance, content or functionality, – are being conducted. According to Darkowl, both pro-Palestinian and pro-Israel groups are conducting defacement operations of websites, however, their initial research shows that there are more defacement attacks conducted by pro-Palestinian groups against Israeli websites.2 According to a study conducted by the University of Cambridge Cybercrime Centre, there have been over 500 defacement operations against Israeli websites during the period 7th to 16th of October.3  The CyberPeace Institute has also identified reports of alleged “hack and leak” operations, which is the theft and leak of data for political or ideological purposes. However, these claims have not yet been able to be verified.

Threat Actors

As we have evidenced in the case of the armed conflict in Ukraine, hacktivism plays an important role in how armed conflicts extend to cyberspace. Hacktivist collectives are independent groups of people conducting malicious cyber activities motivated by political or social ideology. According to a report from Falconfeeds, there are at least 90 pro-Palestinian threat actors and 23 pro-Israeli threat actors actively engaged in cyber threats in the context of the conflict.4 Furthermore, certain pro-Russian hacktivists, known for orchestrating cyberattacks linked to the ongoing armed conflict in Ukraine, are also active in attacks in the ongoing Israeli-Palestinian conflict. The CyberPeace Institute has identified the following threat actors  KillNet, Anonymous Sudan, BlueNet Russia and UserSec as having claimed participation in attacks against Israeli entities. 

As previously stated, many of the threat actors conducting cyberattacks are hacktivist collectives. Many of these hacktivist groups allegedly originate from geographic locations, such as Morocco, India, and Indonesia.  This is different to the cyber threats linked to the ongoing armed conflict between the Russian Federation and Ukraine where the threat actors are primarily located in one or other of the two belligerent countries. 

After an initial study carried out by the CyberPeace Institute, we have determined that not all threat actors are attempting to evidence their alleged operations. For example, out of 38 pro-Palestinian threat actors assessed, only 15 provided credible proof of the cyberattacks they claim to have committed. Only 6 out of the 10 pro-Israeli threat actors provided credible proof of the cyberattacks they claim to have committed. There is a realistic probability that hacktivists are not the only type of threat actor involved in this escalation of cyber threats. The cybersecurity company SentinelOne has identified a list of state-sponsored APTs (Advanced Persistent Threats) including APTs linked to Hamas, Hezbollah and Iran capable of conducting more sophisticated cyberattacks. The cybersecurity company also warns of the likelihood of state-sponsored actors masquerading as hacktivist collectives.5

Victimology

The online resources of both Israeli and Palestinian entities are being targeted. In the case of cyberattacks against Israeli entities, Cloudflare has reported that Israeli news media websites have been the main target since the 7th of October 2023 with over 56% of the reported DDoS attacks carried out against them. For example, one of the threat actors, Anonymous Sudan, has claimed to have targeted an Israeli news media site with a DDoS attack causing the website to be down for a period of more than two days consecutively.6 Other targeted sectors include ICT, Financial and Public Administration. The CyberPeace Institute has also identified cyberattacks targeting the Education, Energy and Transportation sectors in Israel.

Palestinian entities in the Financial, ICT and News Media sectors are mainly being targeted by cyberattacks according to Cloudflare. Cyberattacks against the Public Administration sector have also been observed by the CyberPeace Institute. Furthermore, the  Institute has also identified two confirmed DDoS attacks conducted by pro-Israeli threat actors against two NGOs, one local and one international, offering civilian services to Palestinians. The CyberPeace Institute does not publish the identities of targets of cyberattacks to safeguard them from potential harm.

The Institute has also identified a geographic spillover with cyberattacks being carried out in countries beyond Israel and the Occupied and Palestinian territories, for example, there have been cyberattacks against EU Institutions a few days after 7th October 2023. Threat actors claiming involvement in these attacks have stated publicly that this was due to the EU’s initial support of Israel following the Hamas attack of 7th October.

Disinformation

As we have seen in other armed conflicts, information has become an important  part of the conflict.7 Disinformation is false information that is maliciously spread with the intention to mislead. While kinetic operations are ongoing, parties to the conflict are promoting their narrative or version of the hostilities.  Disinformation is explicitly being spread by the belligerents on various social media platforms. It is important to continue to monitor the disinformation in relation to this conflict. The CyberPeace Institute underlines the importance of checking the veracity of information with reliable sources before sharing it in order to reduce the spread of disinformation.

Internet Connectivity in Gaza

Lack of, or reduced, internet connectivity has become a factor affecting the civilian population in Gaza. Even before the recent outbreak of hostilities, Gazans have suffered from the lack of proper access to a stable Internet. Connectivity has continued to degrade since 7th October.8 Internet connectivity in the Gaza Strip started to severely drop following Israel’s military response to Hamas’ armed attack on 7th October. As the Israeli military targets Hamas with kinetic operations in Gaza, Internet and phone services continue to be impacted due to the damage caused to the telecommunications infrastructure. Internet connectivity has also suffered due to power outages following Israeli airstrikes.9 

  • On 27th October, some of the last remaining Internet access through the Palestinian telecommunications company, Paltel, went completely offline.10 
  • On 29th October, Paltel announced that telecommunication services were slowly starting to be restored after a near-total blackout of around 36 hours.11 

The disruption of these services doesn’t only impact military objects but also impacts civilian services who depend on connectivity in order to contact loved ones, seek medical support, access online services, coordinate rescue efforts and much more. Targeting telecommunications networks adds to the confusion and fog of war, thus accentuating the impact on civilians during hostilities. According to Human Rights Watch, the total destruction of telecommunications in Gaza by the Israel Defense Forces not only affects civilians directly by cutting them off from critical infrastructure such as emergency services but could also be considered “disproportionate” under International law.12 

CyberPeace Statement

The CyberPeace Institute condemns the killing and abduction of civilians by Hamas and calls for the immediate release of civilians held by Hamas. The CyberPeace Institute also condemns unrestrained and indiscriminate attacks by Israel which are leading to the deaths and suffering of civilians in Gaza.

We call upon all parties to spare civilians, civilian objects and infrastructure which are ensuring the delivery of essential services, from attacks including cyberattacks and dissemination of harmful content.

The CyberPeace Institute is calling for restraint in the use of cyber, as well as in other attacks. Harm to civilians, civilian objects and infrastructure which are ensuring the delivery of essential services must be avoided.

The CyberPeace Institute calls on all parties to respect their obligations under International Humanitarian Law (IHL). Civilians and other protected persons must be respected and protected at all times.

(This blogpost was updated on 4 December 2023)

  1. Yoachimik, O., Pacheco, J. (2023). ‘Cyber attacks in the Israel-Hamas war’. Cloudflare. Available at: https://blog.cloudflare.com/cyber-attacks-in-the-israel-hamas-war/ (Accessed: 31 October 2023). ↩︎
  2. Darkowl. (2023). ‘Hacktivist Groups Use Defacements in the Israel Hamas Conflict’. Darkowl. Available at: https://www.darkowl.com/blog-content/hacktivist-groups-use-defacements-in-the-israel-hamas-conflict/ (Accessed: 31 October 2023). ↩︎
  3. Vu, A.V. et al. (2023). “Defacement Attacks on Israeli Websites”. University of Cambridge Cybercrime Center. Available at: https://www.cl.cam.ac.uk/~rja14/Papers/gaza.pdf (Accessed: 6 November 2023). ↩︎
  4. Sahariya, M. (2023). ‘The Evolving Landscape of Cyber Warfare in the Israel-Palestine: A Comprehensive Analysis’. Falconfeeds. Available at: https://falconfeeds.io/blog/post/the-evolving-landscape-of-cyber-warfare-in-the-israelpalestine-conflict-a-comprehensive-analysis–356011 (Accessed: 30 October 2023). ↩︎
  5. Hegel, T. (2023). ‘The Israel-Hamas War |Cyber Domain State-Sponsored Activity of Interest’. SentinelOne. Available at: https://www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/ (Accessed: 31 October 2023). ↩︎
  6. Anonymous Sudan. (2023). Telegram. Available at: https://t.me/xAnonymousSudan/133 (Accessed: 31 October 2023). ↩︎
  7. Helmus, T., Marcellino, W. (2023). ‘Lies, Misinformation Play Key Role in Israel-Hamas Fight’. Rand. Available at: https://www.rand.org/blog/2023/10/lies-misinformation-play-key-role-in-israel-hamas-fight.html (Accessed: 2 November 2023). ↩︎
  8. Ismail, Z. (2023). ‘Internet in Gaza: Limited even before war’. SMEX. Available at: https://smex.org/internet-in-gaza-limited-even-before-war/ (Accessed: 14 November 2023). ↩︎
  9. O’kruk, A., Wilson, R. (2023). ‘Gaza’s disappearing internet, visualized.’ CNN. Available at: https://edition.cnn.com/2023/10/13/middleeast/gaza-internet-outage-map-visuals-dg/index.html (Accessed: 31 October 2023).
    ↩︎
  10. Burgess, M. (2023). ‘The Destruction of Gaza’s Internet is Complete’. Wired. Available at: https://www.wired.com/story/gaza-internet-blackout-israel/ (Accessed: 30 October 2023). ↩︎
  11. Aljazeera. (2023). ‘Internet, phone services return to Gaza after Israeli communications cutoff’. Aljazeera. Available at: https://www.aljazeera.com/news/2023/10/29/internet-phone-services-return-to-gaza-after-communications-blackout (Accessed: 31 October 2023). ↩︎
  12. Human Rights Watch. (2023). X. Available at: https://publish.twitter.com/?query=https%3A%2F%2Ftwitter.com%2Fhrw%2Fstatus%2F1719427260157931999&widget=Tweet (Accessed: 31 October 2023). ↩︎

© Copyright 2023: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.

Donation

Support the CyberPeace Institute

Individual lives can be changed dramatically by the acts of cyber criminals. We need your support to assist victims of cyberattacks in the NGO, humanitarian and healthcare sectors.

Donate now

Newsletter

Subscribe to our newsletter

Receive monthly news on what’s happening at the Institute: our impact, publications, events and important milestones.